Software security practices continue to lag

By Michelle Davidson, Site Editor 18 Apr 2007 | SearchSoftwareQuality.com

Software quality news and advice Digg This!     StumbleUpon     Del.icio.us

SAN MATEO, CALIF. -- The state of software security is getting better, but there's still quite a way to go.

That was the message at this week's Software Security Summit where security officers, development managers, analysts and developers gathered to learn about threats to software and how to prevent their applications from falling victim to attack.

"Software security awareness is getting better, but there's still a lot of people who don't know about it," said Gary McGraw, CTO of security firm Cigital. "More people need to be aware."

Danny Allan, director of strategic research at Watchfire, agreed with McGraw that awareness is growing, but he said the industry is still having trouble communicating the importance of software security.

"We've driven awareness to the CEO level, but we haven't shown them how to address the issue. We haven't answered the questions of why are we having bugs," Allan said. "We're instead saying what the problems are. The causes have not changed in 15 years. We have new bugs, but the same causes."

Security testing is not just verifying software works as intended, but making sure it doesn't have extra features [that can be expoited]. Herbert H. Thompson, Ph.D. Chief security strategist, People Security

For companies to address the software security issue, they need a plan, both McGraw and Allan said. On top of that, they need a portal -- a place to store information such as patters, guidelines and code samples -- they need to align security with the software development life cycle (SDLC), and they need training.

That training applies to architects, software testers and developers.

Chris Bush, an information security analyst at KeyBank, said he's starting to see companies provide training and education for developers and that's increasing their awareness of the problem.

"Developers are smart people. It doesn't take much for them to understand what's going on," he said.

Herbert H. Thompson, Ph.D., chief security strategist at People Security, echoed that in his keynote address Monday. "Developers are smart people who want to do the right thing. Incomplete requirements, undocumented assumptions, the lack of security knowledge and bad metrics can push them to do the wrong thing," he said.

Getting into the mind of a hacker
Thompson strongly urged people to think like bad guys to make sure their software is being reviewed and tested properly. There are lots of things people can learn from how people break software, he said.

"We need to think like the bad guy and consider business risks," Thompson said. "We need to know 'hackernomics' -- the social science of thinking like the bad guy."

To help attendees better understand software attacks and hackers, Thompson outlined five facts about hackers and software security.

1. Most attackers aren't evil or insane. They just want something.

"This is good news because we can't protect against someone who's fundamentally evil, but we can protect against someone who's sane and motivated," Thompson said. "We don't have the budget to protect against evil people, but we can protect against people who will look for weaker targets."

2. Hackers may attack you, but auditors will show up. Security isn't about security; it's about mitigating risk at some cost. A common pitfall, however, is that In the absence of metrics, companies tend to over focus on risks that are familiar or recent.

3. Most costly breaches come from simple failures, not from attacker ingenuity. It's usually silly policy stuff. However, Thompson warned, bad guys can be very creative if properly "incentivized."

4. In the absence of security education or experience, people naturally make poor security decisions with technology. Software needs to be easy to use securely and difficult to use insecurely. Software makers need to give users guidance for how to do something. You can't assume they'll make good security decisions.

5. Attackers don't get in by breaching a security mechanism; they leverage functionality in some unexpected way.

What that means is the software had some functionality that was never intended, Thompson said. It isn't necessarily a flaw, just extra features.

"Security testing is not just verifying software works as intended, but making sure it doesn't have extra features," he said. "In the process of doing B, it also does C, D and E."

How to prevent attacks
Thompson said companies need to rethink what security testing is all about. "I propose it is about finding business risks that come from software," he said. "Verify the process of the security functionality, verify the functional code behaves securely, and think like the bad guy and consider the business risks."

Thompson also said companies need to methodically attack (test) the software and systems themselves. Attack dependencies, attack the user interface, attack the design and attack the implementation.

Software security strategies How to attack (test) software yourself Building security into the software development lifecycle Application design critical to improving security Five application security threats and how to counter them Reason for application vulnerabilities

More than that, Allan said, is getting companies to integrate security throughout the development lifecycle, including requirements, architecture, development and quality assurance.

"That, however, will require changing the culture so they can understand the causes for the security problems," he said. "Then we can get to a much broader coverage of security."

Companies need to understand the importance of finding vulnerabilities early in the development life cycle, Bush added.

"What we've tried to do now is make project teams understand that we're here to help find vulnerabilities as early as possible," he said. "It's difficult to quantify how much it costs to have secure software. I just know we can help them save costs by finding bugs earlier."

But software security companies and experts have to focus on giving companies a practical way to improve the security of their applications. "We know where we are, we know where we want to go; we have to give them a way to get there -- a roadmap," Allan said.

Tags: Building security into the SDLC (Software development life cycle),  Software security testing and techniques,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science' Software security testing and techniques Web server weaknesses you don't want to overlook Using firewalls for software testing: Pros and cons Beating software's cross-site scripting, authentication problems Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary